Thursday, June 4, 2009

Government’s “Cyberspace Policy Review” and IAM

The White House released its Cyberspace Policy Review last Friday. For 60 days of effort it's not bad, and it is nice to see focused attention on this topic. It takes a pretty comprehensive view across cyber security, from intrusion detection and viruses to digital leak protection, privacy and network integrity. It is not technical at all; it is a document used to begin policy discussions. The review also takes the view that the US is not in it alone and that this all needs to be done as a global initiative. I like that.

What does it say about IAM? There are some interesting comments in Section V: “Establish Identity Management as an Option”

The first paragraph of this section focuses on authentication.

“Authentication mechanisms also can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices. With the systems available today for most Internet transactions, the electronic equivalent of cues people use to establish trust might be absent, incomplete, or difficult to understand and act upon. Identity management has the potential to help individuals and organizations form trusted communities based on varying degrees of identity exposure and mutually agreed accountability, while helping exclude unwanted intruders or inappropriate membership.”

I hear in this identity federation, online strong authentication, and better mechanisms to build trust between parties that need to trust each other better. Things like user-centric identity and the Vendor Relationship Management (VRM) initiative Eve Maler talked about in her keynote at EIC 2009 come to mind. Coincidentally, I also had a two-part blog about building trust relationships and how the phases of trust work, so it was nice to read this. I still think going back to the basics of trust relationships is an area of substantial opportunity for the community.

The second part of this section speaks to the need for privacy enhancements. It again reiterates the point about online trust for transactions. It also says:

“The Nation should implement…an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”

Sounds like cloud computing concepts to me. More specifically, offering identity services in the cloud to allow persons to quickly build and assert relationships. Also, technologies to represent yourself through a set of different personas, thereby being able to control privacy. Most likely this would not be a government-led thing, however, but possibly government-supported. Our government can be very good at getting things done indirectly.

“The National Science and Technology Council’s (NSTC’s) Subcommittee on Biometrics and Identity Management in 2008 published a report that provides a vision for future federal identity management and a series of research and development recommendations. The Federal government should use this report as a starting point for identity management strategies.”

Personally, I haven’t read this yet, but you can guess what’s next on my reading list (and possibly a future post).

This next one was so tactical and specific that it is out of place with everything else in the review, which is much higher level and strategic. It makes you wonder if it was included for political reasons. It basically says the government should get on with the program it started years ago, get it done, and consider using that technology elsewhere.

“The Federal government, following the guidance of Homeland Security Presidential Directive 12 (HSPD-12), is seeking to leverage the federal interoperable identity credentialing mechanism across the federal enterprise. The Federal government should ensure resources are available for full federal implementation of HSPD-12. The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.”

I’ve blogged recently about HSPD-12 and its current status. There is work to do, but isn’t that stating the obvious in a strategy review document by the acting Cyber security Czar? The second part, relating to emergency response, was covered in Part 2 of the building trust post. I am a little more skeptical there and still hold the opinion there may be a better way. But again, why was HSPD-12 in there? It is one specific, albeit the largest, government identity management program.

The review concludes with a recommended set of near and mid-term proposed action plans. Specific to IAM in the near-term:

“9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.


10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”

Specific to IAM in the mid-term:

“13. Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”


“14. Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.”

So in summary I take away the following areas of relevance:

  • Better, stronger authentication online
  • User-centric identity
  • Vendor relationship management
  • Identity services in the cloud
  • Identity federation
  • Strong authentication with smart cards

Note, I realize these are not mutually exclusive.

All in all a fairly typical government document – at least the ones not classified. Again, it is nice to see the emphasis on cyber security in our federal government. Our homeland is much more than the land we walk on.
